Separate accounting server

ABSTRACT

A method of providing an accounting service in a mobile communication system, comprising the steps of: accessing (M1, M2) a chargeable functionality of said communication system by a user (U), by authenticating said user (U) by an authentication/authorization server (AA-S), and authorizing said access of said user (U) by said authentication/authorization server (AA-S); and indicating (M2) an accounting server (ACC-1) for the user (U) by said authentication/authorization server (AA-S), wherein said accounting server (ACC-1) is physically separated from said authentication/authorization server (AA-S).

FIELD OF THE INVENTION

The present invention relates to a method of providing an accounting service in a mobile communication system by utilizing a separated accounting server.

PRIOR ART

Presently considered AAAC (authentication, authorization, accounting and charging) architectures deal with the handling of information required to ensure that a mobile node, mainly a mobile host, is correctly granted access to networking resources in an Internet domain which it normally does not belong to. In addition, they deal with the data that are collected to provide charging for the service used by the mobile node.

Next to the underlying technology, the business model to be deployed has an impact on the AAAC architecture. This may be the service concept, i.e. which services shall be provided at which quality. However, charging strategies like pre-paid charging, which gained a lot of subscribers in the GSM market, also place different requirements on the AAAC architecture than traditional postpaid charging concepts. Especially the prepaid charging concept raises time-critical policing requirements, which can be either provider-centric or subscriber-centric. So performance and scalability issues play an important role in an open and scalable AAAC architecture supporting various service provisioning concepts. Basically, the AAAC architecture can be regarded from two points of view: the user and the provider perspective. Without discussing it in any detail or explicitly, the subscriber perspective is given by his QoS and mobility requirements. The user view's requirements are of interest at some stages, but the complexity of allowing for access and mobility will basically remain similar for the AAAC architecture.

Specifically, FIG. 1 shows a simplified overview of a present AAAC architecture. It consists of AAAC systems which can be either an AAAC server (AAAC-S) or an AAAC client (AAAC-C). The protocol to be operated between the AAAC server and the AAAC client is termed AAA protocol, which may be an enhanced version of either RADIUS (Remote Authentication Dial-In User Service) or DIAMETER (the follow-up to RADIUS). An AAAC client has no services to offer; instead it can request services using the agent authorization model. An AAAC server operates an interface to several application-specific modules (ASM), which provide a service or a functionality (e.g., interface to Mobile IP, Quality-of-Service, content service). The AAAC server also has an interface to external authentication modules to be able to use different authentication techniques.

SUMMARY OF THE INVENTION

Placed before this background, the present inventor recognized the object of the present invention to provide a method with which an accounting service in a mobile communication system can be performed when the accounting part is separated from the authentication and authorization nodes.

Accordingly, there is provided a method of providing an accounting service in a mobile communication system, comprising the steps of accessing a chargeable functionality of said communication system by a user, by authenticating said user by an authentication/authorization server, and authorizing said access of said user by said authentication/authorization server; and indicating an accounting server for the user by said authentication/authorization server, wherein said accounting server is physically separated from said authentication/authorization server.

The mentioned chargeable functionality can be a visited network of said mobile communication system or a service of said mobile communication system.

As an implementation of the present invention, said accessing step can be performed by sending an authentication/authorization request message from an authentication/authorization client, to which said user is currently attached, to said authentication/authorization server, which replies by sending an authentication/authorization answer message to said authentication/authorization client, and wherein said answer message includes said indication of an accounting server for said user.

In this case, said authentication/authorization server can directly indicate to said authentication/authorization client the accounting server which is handling said user and keeps a corresponding account.

Consequently, there can be a further step of requesting an accounting for said chargeable functionality from said indicated accounting server by said authentication/authorization client.

According to the present invention, it is preferred that, during said accessing step, said authentication/authorization client receives a ticket indicating that said user has been granted access to said chargeable functionality, and said ticket is sent to said accounting server, which checks whether accounting for said user is to be started.

In this case, said ticket can contain at least one of the following pieces of information: to which user it belongs, when the access was granted, for how long the access was granted, and from which client the access was granted.

Moreover, said ticket is preferably signed by the authentication/authorization server so that it is verified to the accounting server that the authentication/authorization server really has made the ticket.

More details as well as advantages of the present invention are apparent from the following detailed description of the preferred embodiments thereof, which are to be taken in conjunction with the appended drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a simplified authentication, authorization, accounting and charging architecture as adopted according to the prior art; and

FIG. 2 shows an authentication, authorization, accounting and charging architecture as adopted according to the present invention.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

The present invention is of a general nature and has been made in view of the 3GPP (3rd generation partnership project) and 3GPP2 systems. In 3GPP, the Diameter protocol, which is the protocol used in the AAA framework, is used in the IMS (IP multimedia subsystem) on the Cx interface, which lies between the I/S-CSCF (interrogating-/serving-call state control function) and the HSS (home subscriber server), for the AAA purposes. For charging purposes (for simplicity, charging may be considered as being roughly the same as accounting), e.g. on-line charging, the Diameter protocol may be used in 3GPP. The charging nodes are separated from the authentication and authorization nodes, which are the S-CSCF and the HSS.

When a user accesses a network (or a service, e.g. the session initiation protocol, SIP) the user is authenticated, and together with that the network authorizes the access to the network, e.g. based on roaming agreements, etc. For this purpose, the AAA infrastructure can be used.

Reference is made to FIG. 2, where an authentication/authorization/accounting client AAA-C within a visited network, to which a user U is attached, requests the AAA service from the authentication/authorization server AA-S within a home network of the user U (message M1). Once the user U is authenticated and authorized, the authentication/authorization server AA-S grants access to the network (message M2). It is remarked that this may require more than one round-trip between the authentication/authorization/accounting client AAA-C and the authentication/authorization server AA-S.

In the message M2, the authentication/authorization server AA-S may indicate the accounting server ACC-1 for the user U, i.e. where to send call detail records (CDR) or which server handles on-line charging services (e.g. pre-paid). Currently this is not possible in the Diameter protocol. This has the benefit that the authentication/authorization server AA-S can directly indicate the accounting server ACC-1 (out of several possible ones, indicated by ACC-1, ACC-2) which handles the user U and has the account for him/her.

As a preferred embodiment of the present invention, it is proposed that, together with the above, the authentication/authorization server AA-S gives a ticket to the authentication/authorization/accounting client AAA-C which needs to be sent to the accounting server ACC-1 (message M3) to inform it that the user U has been granted access to the network (or service). This ticket may contain information about:

-   To which user it belongs;
-   When the access was granted;
-   For how long the access was granted;
-   From which authentication/authorization client the access was granted;
-   Etc.

Preferably, the ticket should be signed by the authentication/authorization server AA-S in order that the accounting server ACC-1 can verify that the authentication/authorization server AA-S really has made the ticket.

Because it is likely that the authentication/authorization server AA-S and the accounting server ACC-1 are in the same domain, some of the shared secret mechanisms can be used within the home domain. Also a public key mechanism can be used. The authentication/authorization/accounting client AAA-C only has to pass the ticket to the accounting server ACC-1.

The accounting server ACC-1 uses the ticket to check whether it is okay to start accounting for the user U. If this kind of ticket is not sent to the accounting server ACC-1, it does not know whether the user has really been authenticated and/or authorized for access by the (home) authentication/authorization server AA-S. In this case, the accounting server ACC-1 must rely on the authentication/authorization/accounting clients AAA-C. This is a possible security threat, because there can be many authentication/authorization/accounting clients AAA-C in various places which can be connected to the AAA infrastructure via some brokers. This increases the threat of malicious users entering the system.
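The ticket exchange described above (AA-S issues in M2, AAA-C relays in M3, ACC-1 checks before starting accounting), as an added illustration that is not code from the patent. It assumes the shared-secret variant mentioned in the text, realised here as an HMAC over a JSON encoding of the ticket fields; the field names, the secret value and the sample identities are constructed for this example, and binding the indicated accounting server into the ticket is an added assumption.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret shared by AA-S and ACC-1 within the home domain (hypothetical value).
HOME_DOMAIN_SECRET = b"constructed-home-domain-secret"


def _mac(payload: bytes) -> str:
    """HMAC-SHA256 over the canonical ticket bytes; stands in for the 'signature' of the text."""
    return hmac.new(HOME_DOMAIN_SECRET, payload, hashlib.sha256).hexdigest()


def issue_ticket(user, client, granted_at, duration, acc_server="ACC-1"):
    """AA-S side (message M2): bind the user, the granting client, the grant time and the
    validity period (the fields listed in the text) plus the indicated accounting server."""
    fields = {"user": user, "client": client, "granted_at": granted_at,
              "duration": duration, "acc": acc_server}
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return {"payload": base64.b64encode(payload).decode(), "sig": _mac(payload)}


def check_ticket(ticket, presenting_client, now, my_id="ACC-1"):
    """ACC-1 side (message M3): decide whether to start accounting. Returns (ok, reason)."""
    try:
        payload = base64.b64decode(ticket["payload"], validate=True)
        fields = json.loads(payload)
    except (KeyError, TypeError, ValueError):
        return False, "malformed ticket"
    # Authenticity first: every other field is untrusted until the MAC matches.
    if not hmac.compare_digest(_mac(payload), str(ticket.get("sig", ""))):
        return False, "ticket not made by AA-S"
    if fields.get("acc") != my_id:
        return False, "ticket indicates another accounting server"
    # The AAA-C relaying the ticket must be the client that AA-S granted access to.
    if fields.get("client") != presenting_client:
        return False, "presented by a client other than the one granted access"
    start, end = fields["granted_at"], fields["granted_at"] + fields["duration"]
    if not start <= now < end:
        return False, "outside the granted period"
    return True, "start accounting for " + fields["user"]
```

Without the ticket, ACC-1 has only the relaying AAA-C's word that the user was authenticated; with it, a forged or replayed request from any of the many clients reachable via brokers fails the MAC, client or validity check.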

It is remarked that, as indicated in FIG. 2, the messages M1, M2 and M3 can also be sent via a proxy/relay P/R.

As mentioned above, the present invention makes it possible to directly indicate the correct accounting server for the user if it is known in the authentication/authorization server, and the accounting server is provided separately from the authentication/authorization server. This allows the separate accounting server to verify whether the user was authenticated and authorized in the (home) authentication/authorization server.

What is described above is a method of providing an accounting service in a mobile communication system, comprising the steps of: accessing (M1, M2) a chargeable functionality of said communication system by a user U, by authenticating said user U by an authentication/authorization server AA-S, and authorizing said access of said user U by said authentication/authorization server AA-S; and indicating (M2) an accounting server ACC-1 for the user U by said authentication/authorization server AA-S, wherein said accounting server ACC-1 is physically separated from said authentication/authorization server AA-S.

While it is described above what is presently considered to be the preferred embodiments of the present invention, it is apparent to those skilled in the art that various modifications are possible without departing from the spirit and scope of the present invention.

1-13. (canceled)
14. A method of providing an accounting service in a mobile communication system, comprising the steps of: accessing a chargeable functionality of said communication system by a user, by authenticating said user by an authentication/authorization server, and authorizing said access of said user by said authentication/authorization server; and indicating, by said authentication/authorization server, a specific accounting server out of several possible ones dependent on the user, wherein said accounting server is physically separated from said authentication/authorization server.
15. A method according to claim 14, wherein said authentication/authorization server is in a home network of said user.
16. A method according to claim 14, wherein said chargeable functionality is a service provided in a visited network of said mobile communication system.
17. A method according to claim 14, wherein said chargeable functionality is a service of said mobile communication system.
18. A method according to claim 14, wherein said accessing step is performed by sending an authentication/authorization request message from an authentication/authorization client, to which said user is currently attached, to said authentication/authorization server, which replies by sending an authentication/authorization answer message to said authentication/authorization client, and wherein said answer message includes said indication of said specific accounting server for said user.
19. A method according to claim 14, wherein said authentication/authorization server directly indicates said specific accounting server to said authentication/authorization client, which specific accounting server is handling said user and keeps a corresponding account.
20. A method according to claim 14, comprising the further step of requesting an accounting for said chargeable functionality from said indicated accounting server by said authentication/authorization client.
21. A method according to claim 20, wherein, during said accessing step, said authentication/authorization client receives a ticket indicating that said user has been granted access to said chargeable functionality, and said ticket is sent to said accounting server.
22. A method according to claim 21, wherein said accounting server checks whether accounting for said user is to be started.
23. A method according to claim 21, wherein said ticket contains at least one of the information of the group of: to which user it belongs, when the access was granted, for how long the access was granted, and from which client the access was granted.
24. A method according to claim 21, wherein said ticket is signed by the authentication/authorization server so that it is verified to the accounting server that the authentication/authorization server really has made the ticket.
25. A system for providing an accounting service comprising means adapted to perform a method according to claim 14.
26. An accounting server device comprising means adapted to perform respective steps of a method according to claim 14.